Wireguard, Routing Tables and Mangle

I've gone back to the beginning and started again with RouterOS and my Wireguard configuration.

Now I only have my PC (192.168.1.202) and my ISP link connected to the router.
Access to the Internet is fine using my ISP PPPoE connection.
However, although I can see Wireguard packets being transmitted I do not receive any replies.
My remote Wireguard server is working, as if I use Windows Wireguard with the same profile on my PC, it works and I can ping the remote address 10.128.1.1.
Having read many articles and the Mikrotik documentation, it seems I should be either using a new Routing Table and routing rules or perhaps use Mangle?
Mangle is a new topic for me and I do not yet fully understand it.

My aim is to use the internet for all router-connected clients, but for my PC (192.168.1.202) to access the remote 10.128.0.0 network for admin purposes as required.

Please can you guide me in the right direction and suggest a way forward as I'm getting nowhere with this after many days of investigation?

Thanks

Here is my current config

2025-03-26 12:45:40 by RouterOS 7.18.2

/interface bridge
add admin-mac=F4:1E:57:AB:9A:AA auto-mac=no name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=sfp1 ] advertise="10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full"
/interface wireguard
add listen-port=44945 mtu=1420 name=wg2
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether5 name=zen use-peer-dns=yes user=******
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.1.50-192.168.1.69
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge lease-time=10m name=dhcp2
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add name=Draytek use-compression=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
add interface=zen list=WAN
add interface=wg2 list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:5C:B1:FF:90:7F name=ovpn-server1
/interface wireguard peers
add allowed-address=10.128.0.0/16 endpoint-address= endpoint-port=51820 interface=wg2 name=peer1 persistent-keepalive=30s public-key="*****************************************"
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=10.8.0.12/24 interface=wg2 network=10.8.0.0
add address=10.128.1.0/24 interface=wg2 network=10.128.1.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward dst-address=10.128.1.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=Wireguard disabled=yes src-address=10.8.0.0/24
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,aes-128,3des
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/London
/system logging
add topics=ipsec
add topics=pptp
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
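The post mentions two mechanisms for steering only the admin PC's traffic into the tunnel: a separate routing table with a routing rule, and mangle. The RouterOS 7 fragment below is an added illustration of both (plus the simpler plain-route alternative); it is not part of this thread, not the poster's configuration, and not a diagnosis of it. It reuses the interface name wg2, the PC address 192.168.1.202 and the remote network 10.128.0.0/16 from the post; the table name wg-admin, the rule placement and the optional masquerade are assumptions made for the example.

```routeros
# Added example, not from the thread. Assumes: tunnel interface wg2, admin PC
# 192.168.1.202, remote network 10.128.0.0/16 (all taken from the post); the
# table name "wg-admin" and the rule placement are choices made for this example.

# Option A: one static route in the main table. Every LAN host could then
# reach 10.128.0.0/16 via wg2, so access is limited by the filter rules below.
/ip route
add dst-address=10.128.0.0/16 gateway=wg2 comment="remote admin network via WireGuard"

# Option B: a separate routing table that is consulted only for the admin PC.
# Other clients never see this route; their traffic keeps the ISP default route.
/routing table
add name=wg-admin fib
/ip route
add dst-address=10.128.0.0/16 gateway=wg2 routing-table=wg-admin
/routing rule
add src-address=192.168.1.202/32 dst-address=10.128.0.0/16 action=lookup-only-in-table table=wg-admin

# Option B': the same selection done with mangle instead of a routing rule.
# In RouterOS 7 a routing mark is the name of a routing table, so the table and
# route from option B are still required. Use the routing rule OR the mark, not
# both. Caveat: fasttracked packets bypass mangle, so with the default
# "defconf: fasttrack" rule in place the mark would only be applied to the
# first packets of a connection; the routing-rule variant does not have this problem.
/ip firewall mangle
add chain=prerouting src-address=192.168.1.202 dst-address=10.128.0.0/16 action=mark-routing new-routing-mark=wg-admin passthrough=no

# Whichever option is used: only the admin PC may be forwarded into the tunnel.
# Both rules must sit above any broader forward accept for the remote network.
/ip firewall filter
add chain=forward action=accept src-address=192.168.1.202 out-interface=wg2 comment="admin PC to remote network"
add chain=forward action=drop out-interface=wg2 comment="nobody else into the tunnel"

# Optional (assumption for this example): hide the LAN behind the tunnel
# address, so the server's AllowedIPs for this peer only needs the tunnel
# address rather than 192.168.1.0/24.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=wg2 comment="LAN to remote network"
```

To check the result, `/interface wireguard peers print` should show a recent last-handshake for peer1, `/ip route print where dst-address=10.128.0.0/16` should show the route as active (it is only active while wg2 is running), and a ping from the PC to a 10.128.x.x host should produce matching packet counters on the "admin PC to remote network" filter rule.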

Not sure what you are connecting to; that is the missing link.
3rd-party VPN, a friend's server, a cloud-based WireGuard???

It’s a third party Ubuntu Linux Server hosted on a virtual server.
I have admin control to both the hosted server and the Wireguard Ubuntu server.

The Wireguard server is used to give me remote access to the underlying 10.128.0.0 network for management purposes.

Everything works as I want at the moment via a 3rd-party router (Draytek) and the Windows WireGuard client that I'm using on a couple of PCs. Later this year I am moving to a fibre link and will be replacing the Draytek router with the Mikrotik - hence the requirement for WireGuard, as it is supported directly within the router.

Thanks

Duplicate Thread, please follow here… http://forum.mikrotik.com/t/wireguard-client-to-remote-ubuntu-wireguard/182835/6